Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing more to do – it’s all over, right? Not quite – there is a good chance your organization will be subject to a regulatory investigation as a result of the incident.
In 2016, we assisted clients in over 450 data security incidents. Among the trends revealed by our analysis of these incidents, we found that regulators, including state attorneys general, continue to make inquiries in the wake of data security events. In fact, in the incidents we handled, attorneys general made inquiries 29 percent of the time after notifications were made. This is up from 26 percent the prior year.
This uptick in activity may be due to the fact that more states are now requiring notification to regulators after a breach. And no attorney general wants to appear weak on consumer privacy. So, to the extent a breach makes the news or may affect a large number of residents in a particular state, a regulatory investigation is increasingly likely to follow.
Accordingly, a prudent organization should be prepared to answer questions regulators might ask. The questions and information sought may include:
- A description/diagram of your network environment.
- A copy of the forensic investigation.
- A detailed narrative description of the incident.
- How was the intrusion detected? When was it detected and when was it stopped?
- Copies of policies and procedures and your Written Information Security Plan.
- Why did it take you so long to notify consumers?
- Was law enforcement notified?
- Are you offering credit monitoring? If so, for how many years?
- Provide a timeline of the incident and investigation from discovery to notification.
How these questions are answered may very well determine whether further enforcement efforts are pursued, which could lead to fines and penalties. The issues that regulators will focus on include encryption, slow detection of incidents, slow notification, and ignoring vulnerabilities identified in past risk assessments. Some states will automatically ask for a detailed timeline of the incident if notification took place more than 30 days after discovery.
In light of the increased regulatory activity, it’s important to consider that incident response is more than just notifying affected individuals and complying with applicable laws. Any incident response strategy should also consider how the investigation, communications (internally and externally) and actions taken in response to the incident would be viewed by a regulator. This is why it is essential to view incident response as not just checking boxes, but as part of an overall legal strategy, taking into account potential regulatory investigations and enforcement.